PF can use domain resolution, but only at the time the rules are being loaded. If the IP address changes, the rules must be reloaded to obtain changed addresses. This also means that your DNS server, if used for resolution, must be available during boot. If this is not possible, you would want to place all names to be resolved in the PF server's hosts(5) file, and use "lookup file bind" in resolv.conf(5).

If you have a DNS server on the same platform -- i.e.: you have "nameserver 127.0.0.1" in resolv.conf(5) -- you need to be aware that PF rules are loaded by rc(8) before named(8) is started by rc(8). Therefore, you would require the same hosts(5) lookup for resolution.
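Since PF only resolves names when the ruleset or a table is loaded, one way to live with an address that changes is to keep the names in a table and refresh that table from hosts(5) on a schedule. The script below is an added example for this thread, not something PF ships or anyone here posted; it assumes a table declared in pf.conf (called <inside_servers> here), that the names are listed in the file HOSTS_FILE points at (by default /etc/hosts, the same file PF consults at boot when resolv.conf(5) says "lookup file bind"), and that pfctl -T replace is available, which it is on every PF version with tables. The host names and addresses in the comments are constructed.

```shell
#!/bin/sh
# pf-table-refresh.sh: re-resolve the host names behind a PF table and replace the
# table's contents, so an address change is picked up without reloading the whole
# ruleset. Added example, not PF's own tooling. Assumes pf.conf declares the table
# (e.g. "table <inside_servers> { web.lan.example.test, mail.lan.example.test }")
# and that the names appear in HOSTS_FILE (default /etc/hosts).
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# resolve_names NAME...: print one address per line for every NAME found in
# HOSTS_FILE (IPv4 and IPv6 entries alike); comments and short lines are skipped.
resolve_names() {
    for name in "$@"; do
        awk -v n="$name" '
            $1 ~ /^#/ || NF < 2 { next }
            { for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }
        ' "$HOSTS_FILE"
    done
}

# unresolved_names NAME...: print the names that have no entry at all. A name that
# quietly resolves to nothing would leave the table short and drop the traffic that
# depends on it, so the caller refuses to replace the table in that case.
unresolved_names() {
    for name in "$@"; do
        [ -n "$(resolve_names "$name")" ] || echo "$name"
    done
}

# render_table NAME...: the sorted, de-duplicated address list pfctl will load.
render_table() {
    resolve_names "$@" | sort -u
}

# refresh_table TABLE NAME...: replace TABLE with the addresses of NAME... using
# "pfctl -t TABLE -T replace -f FILE". Returns 1 and touches nothing if any name
# is unresolved.
refresh_table() {
    table="$1"; shift
    missing="$(unresolved_names "$@")"
    if [ -n "$missing" ]; then
        echo "refusing to replace <$table>: unresolved: $missing" >&2
        return 1
    fi
    tmp="$(mktemp)" || return 1
    render_table "$@" > "$tmp"
    pfctl -t "$table" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# usage: sh pf-table-refresh.sh inside_servers web.lan.example.test mail.lan.example.test
# (from cron, or whenever the lease on the public side changes)
if [ $# -ge 2 ]; then
    refresh_table "$@"
fi
```

After a run, `pfctl -t inside_servers -T show` lists what the table actually holds. Refreshing a table this way leaves the rest of the ruleset, and its state table, untouched, which is the reason to prefer a table over a host name written directly into a rule when the address is expected to move.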

I am trying to have PF redirect outgoing requests (inside my LAN) that are pointing to my domain name/DNS so they do not first travel out of my network to the internet and then back in again.

So instead of:

user wants to visit my locally hosted website, types URL, browser forwards query to DNS...etc and then is redirected out into the internet to access "domain name" which happens to just point back to my own network. (this fails and is a waste of bandwidth)

I would like, instead of going to the internet to access my internal website, that my internal PF firewall will simply redirect anything to URL port 80 to my internal web server. Thus no more wasted bandwidth and hopefully it will actually work.

jggimi

Hmmm it's unfortunate that PF will not "lookup" the IP on-the-fly. This defeats the full purpose of putting DNS as opposed to IP. (for me)

Would you be able to show sample code for PF that would work for redirection using a DNS name? (I will have to just reload my config if my IP changes.)

The firewall is acting as a middle-man type thing. So it has internal and external interfaces. Internal would be connecting to the internal network and external would be connecting to the exterior portion of my network.

Quote:

...so they do not first travel out of my network to the internet and then back in again....

That can be solved with local DNS. e.g.: When inside your private LAN, your local DNS server(s) respond to a resolution request for "our.webserver.inhere.com" with your inside-the-firewall address. No need to redirect with PF.

Quote:

Hmmm it's unfortunate that PF will not "lookup" the IP on-the-fly.

There would be a significant performance impact, as each and every test of such a rule would require either an /etc/hosts lookup or a DNS request.

Quote:

Would you be able to show sample code for PF that would work for redirection using a DNS name? (I will have to just reload my config if my IP changes.)

I have never used name resolution with PF, but according to pf.conf(5), host names may be used in tables or rules. Resolution is done at table load or ruleset load time. ":0" may be appended to a rule host name to limit the resolution to the first IPv4 or IPv6 address resolved, but, in tables, all resolved addresses for a hostname are added to the table.

In your first post, you said of your rdr rules:

Quote:

I have tried adding redirect rules for my internal interface but they do not seem to be working.

You don't say if there are syntax failures or other issues. If the rules load, you can use pfctl(8) with "-s <rule-section>" to see the various components of your resolved rule set.
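As an added example, not a ruleset posted in this thread, here is a pf.conf fragment that uses a host name the way pf.conf(5) describes: a name with ":0" in an rdr rule, and names in a table, with one public name split across servers by destination port. The interface names, host names, and addresses are all assumptions; 192.168.1.0/24 stands in for the LAN. It is written in the pre-4.7 rdr/nat syntax the thread's "rdr rules" refer to; the comment at the end gives the 4.7-and-later form.

```pf
# Added example; interfaces, names and addresses are assumptions.
ext_if   = "em0"
int_if   = "em1"
lan      = "192.168.1.0/24"
web_srv  = "192.168.1.10"
mail_srv = "192.168.1.20"

# A host name in a rule is resolved when the ruleset is loaded and ":0" keeps
# only the first address returned. A name that fails to resolve fails the load,
# which is why the names should be in hosts(5) with "lookup file bind" in
# resolv.conf(5) if the resolver is not reachable when rc(8) loads the rules.
public_web = "www.example.test:0"

# In a table every address the name resolves to is added. The table can later
# be refreshed with "pfctl -t inside_servers -T replace -f FILE" on its own.
# (assumed to resolve to $web_srv and $mail_srv)
table <inside_servers> { web.lan.example.test, mail.lan.example.test }

# One public name, several servers: the destination port picks the target.
rdr on $int_if proto tcp from $lan to $public_web port 80 -> $web_srv  port 80
rdr on $int_if proto tcp from $lan to $public_web port 25 -> $mail_srv port 25

# Reflection: client and server sit on the same LAN, so without this the server
# would answer the client directly from its own address and the client would
# drop the reply. Translating the source forces the answer back through the
# firewall, which is the "re-route all packets through your firewall" cost of
# this approach compared with split DNS.
nat on $int_if proto tcp from $lan to <inside_servers> -> $int_if

pass in on $int_if proto tcp from $lan to <inside_servers> port { 80, 25 } keep state

# OpenBSD 4.7 and later express the same thing inside filter rules, e.g.
#   pass in  on $int_if proto tcp from $lan to $public_web port 80 rdr-to $web_srv
#   match out on $int_if proto tcp from $lan to <inside_servers> nat-to ($int_if)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a name that does not resolve shows up there rather than at boot. Once loaded, `pfctl -s nat` (or `pfctl -s rules` on 4.7 and later) prints the rules with the addresses the names resolved to, and `pfctl -t inside_servers -T show` prints the table.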

With DNS I know I can manually enter the info there. However my issue is I have one domain name with multiple servers (IPs). I'd rather not have to do server1.domainname, server2.domainname...etc (these won't exist outside), and I would also prefer to filter based on the port used.

Yes the rules do go through. I have not had a chance to test with pfctl -s yet.

If you need to, you can do further confirmation. On your OpenBSD system, you can use tcpdump(8) to watch packets as they move in and out, and, if you were to set your rules to log traffic, you could also use tcpdump(8) with pflogd(8) and pflog(4). Your destination webservers may have tcpdump(8) or similar tools available.

The better performing solution would be to use split DNS; if you set up an "internal zone" DNS server, then you will not need to re-route all packets destined for internal addresses through your firewall, as this solution you're stuck on will do.
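The split-DNS alternative, as an added example rather than anything posted in this thread: an "internal zone" on the LAN's resolver answers the public names with inside addresses, so LAN clients connect directly and nothing has to pass through PF at all. This fragment assumes unbound(8) is the resolver (the thread mentions named(8); with BIND the same effect comes from an internal view or a separate zone file served only to the LAN), and the interface, network and addresses are constructed. One thing DNS cannot do is choose a server by port, since a name maps to addresses only; if the same name must reach different servers on port 80 and port 25, that split stays with PF or with a proxy on the inside server.

```conf
# unbound.conf fragment, added example; interface, network and addresses are assumptions
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow

    # "transparent": names listed here are answered locally, every other name in
    # the zone (and everything else) is resolved upstream as usual
    local-zone: "example.test." transparent
    local-data: "www.example.test.  IN A 192.168.1.10"
    local-data: "mail.example.test. IN A 192.168.1.20"
```

Point the LAN clients at 192.168.1.1 (DHCP option, or resolv.conf(5) on the hosts); from outside, the public resolver keeps handing out the public address, so nothing changes for the rest of the internet. Verify from a LAN client with `host www.example.test 192.168.1.1` and confirm the inside address comes back.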